x-tweet-by-url
Fail
Audited by Gen Agent Trust Hub on Jul 9, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The execution logic in
SKILL.mdutilizes an unsafe pattern for running local scripts:META=$(python scripts/classify-url.py '{url}'). This instruction is highly susceptible to shell command injection because the{url}variable is directly interpolated into a bash command string without escaping or sanitization. An attacker providing a URL containing shell metacharacters (e.g.,;,`,$(...)) could execute arbitrary commands on the host system with the privileges of the agent. - [PROMPT_INJECTION]: The skill processes untrusted data from X, creating an attack surface for indirect prompt injection where malicious instructions embedded in tweets could influence the agent's subsequent actions.
- Ingestion points: Untrusted content is ingested from X timelines (search results, user profiles, lists, and tweet details) in
SKILL.mdand processed byscripts/parse-tweets.py. - Boundary markers: There are no specific delimiters or instruction-level warnings defined to isolate the scraped tweet text from the agent's operational instructions.
- Capability inventory: The agent has the capability to execute shell commands via the
bashtool and perform browser automation/network monitoring viabrowser-act. - Sanitization: Neither
SKILL.mdnor the Python scripts perform any sanitization, filtering, or validation of the tweet content to prevent it from being interpreted as instructions by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata